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ABSTRACT 

An Intelligent Control System for reusable rocket engines is under development at NASA Lewis Research Center, 
The primary objective is to extend the useful life of a reusable rocket propulsion system while minimizing between flight 
maintenance and maximizing engine life and performance through improved control and monitoring algorithms and 
additional sensing and actuation. This paper describes current progress towards proof-of-concept of an Intelligent Control 
System for the Space Shuttle Main Engine. A subset of identifiable and accommodatable engine failure modes is selected 
for preliminary demonstration. Failure models are developed retaining only first order effects and included in a simplified 
nonlinear simulation of the rocket engine for analysis under closed loop control. The engine level coordinator acts as an 
interface' between the diagnostic and control systems, and translates thrust and mixture ratio commands dictated by mission 
requirements, and engine status (health) into engine operational strategies carried out by a multivariable control. Control 
reconfiguration achieves fault tolerance if the nominal (healthy engine) control cannot. Each of the aforementioned 
functionalities is discussed in the context of an example to illustrate the operation of the system in the context of a 
representative failure, A graphical user interface allows the researcher to monitor the Intelligent Control System and engine 
performance under various failure modes selected for demonstration. 

INTRODUCTION 


Propulsion 


Reusable rocket engines present a 
very challenging operational environment 
and requires high performance, low 
maintenance, and man-rated reliability 
levels. Multiple start-stop cycles cause 
thermal gradients with his*h thermal strains 
per cycle within the engine. High steady 
state operating stresses create large 
inelastic strains, High dynamic loads 
induce high cycle stresses. In the Space 
Shuttle Main Engine (SSME), an 
operational version of a reusable rocket 
engine, high performance and reliable 
operation have been achieved. However, 
originally predicted levels of usable life* 
have not been demonstrated and extensive 
between flight maintenance has resulted. 

Merrill and Lorenzo have 
proposed a framework outlining specific 
functionalities to improve the durability 
of the SSME which include active control 
of key engine parameters, real time 
diagnostics, and life extending controls 
A functional framework showing the various capabilities included in the Intelligent Control System (ICS) is given in 
Figure 1. The principal components include a distributed diagnostic system, an intelligent coordinator, and a 
rcconfigurable controller. The distributed diagnostic system is composed of sensor validation, a model based failure 
detector, a rule based failure detector, ReREDS (reusable rocket engine diagnostic system) and a diagnostic expert system. 
ReREDS is a condition monitoring/diagnostic software system developed during the past two years through a contract with 
System Control Technology (SCT) and Aerojet. The engine level coordinator in Figure 1 makes alterations to the controller 
using engine status information generated by the diagnostic system, and propulsion requirements passed down by the 
propulsion level coordinator as shown. Each SSME is part of the propulsion system for the orbit er vehicle and is 
orchestrated by the propulsion level coordinator which receives thrust vector commands from the flight controller to 
achieve mission success. Ultimately, the engine level coordinator must satisfy minimum thrust requirements while 
minimizing further component degradation and accommodating failed or degraded engine hardware. The reconfigurable 
controller takes requests generated by the coordinator, makes the changes gradually thereby minimizing engine transients, 
and computes the valve positions to achieve the requested behavior from the engine. 



Figure 1 Intelligent Control System Functional Framework 
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This paper describes an ongoing research program at the NASA Lewis Research Center to demonstrate an ICS for a 
reusable space propulsion system (SSME). A significant milestone for the ICS program is the successful integration of real 
time diagnostics with a reconfigurable control^ providing motivation for demonstration with a subset of accommodatable 
failure inodes. The focus of this work is on failure mode modelling, controls and coordination, and the graphical user 
interface. Detailed discussion of (lie distributed diagnostic system appears elsewhere**. An accommodation strategy for a 
particular failure mode is discussed in detail and simulation results are presented to clarify the various functionalities and 
potential benefits of the Intelligent Control System. 

FAILURE MODES 

Modelling failure modes for the ICS project presents a difficult challenge due to several competing objectives. 
On the one hand there is the desire to accurately describe the progress and effects of a given failure as it occurs. Typically, 
this requires models not only for the relevant fluid dynamics but for the structural dynamics as well. Such models are 
necessarily computationally intensive and time consuming to develop. On the other hand, there is the desire to maintain 
simple models such that real time simulation may be achieved with, existing computer hardware. The real time requirement 
is necessitated by the fact that the diagnostic system and controller under development will eventually be placed on an 
actual engine, and must therefore respond within the appropriate time scale. Simple failure models also require much less 
time to develop and are readily available for use in detection and accommodation studies for development of an expert 
system rule base. 

At this point in time, the focus of the project is proof of concept. Therefore, a philosophy of maximum simplicity 
has been adopted for the task of modelling rocket engine failures. By this we mean that the consequences of a given failure 
arc sought without regard to the cause or the relative time that the failure takes to develop. The following discussion details 
models for several failure modes selected for demonstration of an ICS. Motivation for their selection will be presented, 
along with a description of their implementation in the real time simulation model of the SSME-3. In addition, open loop 
transients of key engine parameters are provided to illustrate the qualitative behavior of the models. 


The following five failure modes have been selected for the preliminary ICS demonstration: a failure of a control 
sensor (P c )„ a frozen Fuel Preburner Oxidizer Valve (FPOV), a Low Pressure Fuel Turbo Pump (LPFTP) shaft seal system 
failure, a High Pressure Fuel Turbo Pump (HPFTP) turbine tip seal failure, and a High Pressure Oxidizer Turbo Pump 
(HPOTP) shaft seal system failure. One of the primary goals of the project is to examine a variety of techniques for failure 
detection and accommodation since no one is expected to perform well for all types of failures. The modes listed above 
cover a broad class of possible problems for the engine with the exception of bearing failures. Unfortunately, the real time 
engine simulation used for this work does not readily lend itself to including failure modes involving vibration, or other 
structural phenomena. 

Sensor failures and actuator failures are among the most straight forward to implement and require no modelling. 
Consequently, they have been omitted from the following discussion. The HPOTP shaft seal failure has been covered 
extensively elsewhere^ and will not be repeated here. 

FAILURE MODE MODELLING 

LPFTP Shaft Seal System Failure. The LPFTP shaft seal system prevents the relatively hot hydrogen gas which 
drives the low pressure turbine from mixing with the liquid hydrogen being driven through the low pressure pump. The 
seal system consists of two seals. One is a labyrinth seal located at the base of the second stage turbine blade. The other is a 
simple ring seal on the shaft itself. Since both of these are clearance type seals, a small amount of leakage occurs even during 
normal operation. This value is approximately .49 Ibm/sec. Using the perfect gas assumption the flow through the 
labyrinth seal may be written as 


miai>= 7T Cd d ClabPlpM \j - j C /(PR) ( 1) 

V RTjpHi 

where Cd is the discharge coefficient, d is the turbine disk diameter, ci„j> is the seal clearance, g c is the gravitational constant, 
R is the real gas constant, T and P are the LPFTP turbine inlet temperature and pressure respectively, and PR is the pressure 
ratio across the seal, i.e. Pexit/Pipfii. In this equation /(PR) has the form 

/(PR) = J. 1-PR 2 . (2) 

V 5 - ln(PR) 

Assuming adiabatic flow and choked conditions, the flow through the ring seal may be written as 


(tiring ** 0.685 7T Cd d CrmgP^xM \j — (3) 

V RTipui 

where d, and c f i«g now correspond to the shaft diameter and the ring seal clearance respectively. The multiplicative constant 
.685 is obtained using a specific heat ratio for hydrogen gas of 1.4. Assuming a common discharge coefficient of 0.9 for 
both seals and disk and shaft diameters of 6.0 and 2.0 inches respectively, equations 1 and 3 may be equated and the 
common terms eliminated to obtain 
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c iing 

cub 


(4) 


“ 4.381 


/(PR) 

PR 


This equality cannot be rearranged to obtain an analytical expression for the pressure ratio PR as a function of clearance due 
to the nature of /(PR). However, an approximation can be obtained by expanding equation 4 in a laylor series about 
PR=1. The result is 


PR * 2.0 


1 + Vl + .75 P(PR) 
(3(PR) 


( 5 ) 


where CR=Cn n g / ci B b and C(CR) is 

(3(CR) = 1.303 CR 2 + 7.0. ( 6 ) 

Thus with the clearance of each seal known, and the LPFTP turbine inlet state known, equation 5 may be used to obtain PR. 
With PR known, P e *it is known, and equation 3 may be used to obtain the flow rate through the seal. 

The clearance of the ring seal must be specified and a failure of the system is initiated by using a clearance which is 
much larger (approximately a factor of ten for the demonstration) than the nominal value which is assumed to be 3 nu s. 
The clearance of the labyrinth seal depends upon the speed of the turbine. Specifically, the governing equation ma> be 
written as 


where to is the turbine shaft speed in rad/sec. The 
constants at and a 2 where chosen such that the 
clearance is 5 mils at 100 percent power and 0 mils 
at full power. 

The LPFTP shaft seal model has been 
implemented on the real time SSME simulation by 
introducing these equations into the code. The 
mass flow rate through the seal system was 
subtracted from the low pressure fuel turbine 
discharge mass flow and added to the pump 
discharge mass flow. The pump discharge 
temperature was modified to account for the hot gas 
mixing with the cold liquid. Figures 2a, 2b. and 2c 
show the open loop response of the shaft seal failure 
at rated power. Chamber pressure was insensitive to 
the shaft seal failure, and lias been omitted. The seal 
degradation is shown on all plots to occur at four 
seconds and take place over a two second interval at 
a constant ramp rate. For the failure shown, the 
leakage rate from the turbine to the pump increased 
from a nominal 0.486 Ibm/sec to 1.66 lbm/sec 
causing a decrease in the LPFTP pump discharge 
pressure shown in Figure 2a as the turbine pumps 
less fuel from the tank. Figure 2b shows how the 
increase in hot gas entering the cool fuel from the 
supply tank results in a slight increase in pump 
discharge temperature. Both the discharge pressure 
and temperature along with the volumetric fuel 
flow from the pump and ch amber pressure are used 
to estimate the mixture ratio in the main 
combustion chamber. Figure 2c shows how the 
relatively minor leakage causes the mixture ratio 
estimate to degrade. The degradation is caused by 
the relatively large drop in the pump discharge 
pressure. The poor mixture ratio causes some 
difficulties for the multivariable control approach 
and is discussed in some detail later. The LPFFP 
shaft seal failure model provides the qualitative 
behavior of interest for closed loop analysis and 
development of accommodation strategies. 

HPFTP Turbine Tio Seal Failure . Turbine 
tip seals are designed to prevent leakage of gas 
between the outside ends of the turbine blades and 
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Figure 2a Open Loop Response of LPFTP Discharge Pressure to 
LPFT Shaft Seal Degradation 



Figure 2b Open Loop Response of LPFTP Discharge Temperature to 
LPFT Shaft Seal Degradation 
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the turbine casing. The rate of leakage which 
occurs in this region is generally very small 
compared to the total flow through the turbine; 
however, the effect on performance can be 
significant. The fluid leaking around the tip of the 
turbine blade disturbs the flow field on the rest of 
the aerofoil in a manner similar to crossflow over an 
airplane wing. This results in reduced lifting 
capacity of the blade and therefore reduced 
efficiency of the turbine. In order to prevent this 
effect, turbine blades are often shrouded on the 
ends. The shroud reduces the crossflow and 
subsequent sensitivity to tip leakage. Furthermore, 
the shroud is typically equipped with a labyrinth 
type tip sea! which cuts down significantly on the 
leakage flow. The HPFTP does not have shrouded 
blades however, due to high speed and inlet 
temperature. Sealing is therefore affected by 
maintaining as small a clearance as possible 
between the blade tip and the housing. A seal 
failure represents a change in this clearance to some 
value significantly larger than the design value. 
Experiments demonstrate? that the relationship 
between turbine efficiency and tip clearance is 
generally linear; however, the slope is strongly 
dependent on the number and degree of reaction of 
the turbine stages. Although it has been 
determined to be a relatively likely failures, no 
actual mention of the cause of the tip seal clearance 
change has been made or the degree of clearance 
change that is expected. Figures 3a. 3b, and 3c 
demonstrate the qualitative behavior of this failure 
in an open loop simulation of the real time SSME 
model for a 10% rainp decrease in turbine 
efficiency beginning at four seconds. Figure 3a 
shows a relatively slight decrease in chamber 
pressure resulting from the decrease in the HPFTP 
pump discharge pressure. The pump discharge 
pressure drops because the turbine is doing less 
work on the fluid for the given preburner 
temperature. Figure 3b shows both the estimated 
and actual MRs rising because of the drop in fuel 
being pumped by the HPFTP. Notice the slight 
degradation in the MR estimate as the failure 
propagates to its full value at six seconds. This 
degradation in the estimation scheme does not 
cause difficulties with the MVC as in the case 
discussed above. Figure 3c shows a dramatic rise in 
the HPFTP discharge temperature resulting from 
the decrease in the turbines ability to remove 
energy from the hot gas of the preburner. The open 
loop responses shown in these figures typify 
behavior for a decrease in efficiency of the high 
pressure fuel turbine and coincide with our 
physical understanding of the failure and its impact 
on performance parameters. 
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Figure 2c Open Loop Response of Mixture Ratio to LPFT 
Shaft Seal Degradation 
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Figure 3a Open Loop Response of Chamber Pressure to HPFT Tip 
Seal Degradation 


CONTROLS AND COORDINATION 

The control and coordination functions lie at the heart of the intelligent control system. Selection of failure 
modes for an on-line diagnostic system is driven by the nbility to accommodate such failures or degradations In hardware I 

using existing sensing and actuation. Additional sensing and actuation hardware may be considered by weighting expected I 

costs against benefits in conjunction with the likelihood of the failure occurring and the effect if left unattended. For this 
work, an additional actuator was selected for inclusion in an engine modeF based on recommendations from a study f 

performed by Rocketdyne 9 under contract to NASA LeRC. In addition, the instrumentation set on the Marshall Space | 

Flight Center Technology Test Bed is assumed. I 


Control of the SSME is accomplished through five valves shown in Figure 4. In particular, the Main Oxidizer 
Valve (MOV), Main Fuel Valve (MFV), Coolant Control Valve (CCV), Oxidizer Preburner Oxidizer Valve (OPOV), and 
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Fuel Preburner Oxidizer Valve (FPOV) are open 
loop scheduled to perform the startup and shutdown 
operations. In the actual SSME controller (Block I), 
only FPOV and OPOV arc used ns closed loop 
control valves for ina instage operation. To 
analytically explore the benefits of enhanced engine 
controllability, the Oxidizer Preburner Fuel Valve 
(OPFV) was added while the previous five valves 
were also considered for closed loop control during 
mainstageio. 

A number of measurement locations are 
shown in Figure 4 which represent a subset of the 
SSME test bed sensor suite. The discharge pressure 
and temperature of the Low Pressure Fuel 
Turbopump (Pall and Till i respectively) as well as 
volumetric fuel flow (Qrim)« and chamber pressure 
(P c ) are used for estimating mixture ratio (MR) in the 
existing SSME Block I controller. The discharge 
pressure of the High Pressure Fuel Turbopump (Pui 2 ). 
the discharge temperatures of the High Pressure Fuel 
and Lox Turbines (Tft2d and Totid respectively), 
the pressure of the Fixed Nozzle Heat Exchanger 
(P 4 ). the pressure of the Main Chamber Heat 
Exchanger (Py), and the fuel supply pressure of the 
prebumers (P9) are used in conjunction with P<. to 
form the sensor suite for the multivariable control. 

Multivariable control (MVC) methods 
generally rely on-linear state space models of the 
process to be controlled. A perturbation model of a 
simplified (39 state) nonlinear dynamic engine 
model at rated power was used for control design* 0 . 
The linear models of the SSME change very little 
from the 65% to the 109% power (thrust) level, 
therefore gain-scheduling was not required. MVC 
allows the integration of multiple objectives of P^ 
Mr, Tft2d, and Tot2d command following for 
example, while decoupling each of the control loops 
from the others using all six valves in Figure 4 as 
closed loop control valves. 
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Figure 3b Open Loop Response of Mixture Ratio to HPFT Tip Seal 
Degradation 
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The nominal controller is designed with 
the objective of providing the highest degree of 
fault tolerance and robustness possible for the Time (sec) 

engine using all available valves and some subset of 

available sensors while meeting specified pjg Ure 3 C Open Loop Response of HPFT Discharge Temperature to 
performance constraints. Ideally, the sensors selected HPFT Tip Seal Degradation 

for state estimation in the state feedback controller 

would be the most reliable and most accurate of the available instrumentation. However, a performance versus robustness 
tradeoffs must be made if the most reliable sensors result in a non-minimum phase realization to. 


A fault tolerant and robust control design for a rocket engine may be achieved in two ways using multivariable 
control. The first involves designing the controller to be insensitive to variations in the engine, mcxlelling errors, and 
sensor noise. A variety of formalized techniques for accomplishing this are available in the controls literature based upon 
the design methodology used. The second involves wisely selecting the variables for closed loop control. For example, a 
Traditional" control design would allow set point control of both P c and MR to provide variable throttling and near 
constant combustion temperature in the main chamber over a range of power levels, respectively. However, for a staged 
combustion cycle, controlling the discharge temperatures of the high pressure turbines provides a means of regulating the 
combustion temperatures in the fuel and lox preburners. Moreover, discharge temperatures are redline quantities on the 
SSME. Redline cutoffs resulting from a decrease in fuel turbine efficiency can be avoided! L In general, closed loop 
control of redline variables may widen the envelope of operation for the engine allowing greater flexibility for off design 
operation. Consequently, a fault tolerant multivariable control design can be achieved by including Tft2d and Tot2d m 
the controlled variable list along with Pc and MR for the set point controller. However, there may be a better choice given 
typical variations in engine builds and the difficulty of providing consistent and accurate measurements of turbine 
discharge temperature. The final selection must depend upon the practical aspects of implementing such a design on a flight 
system. 


RECON FIG URABLE CONTROL 

The notion of altering the structure of the controller to accommodate changes in the plant is very attractive for 
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fault tolerance. Much work has been done in the area of aircraft survivability in combat situations with a focus on actuator 
failures resulting from battle damaget2. However, most approaches are heuristic in nature due to the difficulty in 
generalizing results from a specific application and vary between apriori and on-line design. A common theme is to 
distribute the control effort for a failed actuator over the remaining, hopefully somewhat redundant actuators in the system. 

The SSME has six 
valves while the nominal 
engine controller has only 
four parameters as 
controlled quantities. 

Therefore, it would appear 
that the engine has two 
redundant valves for 
independent control of Pc, 

MR. Tft2d and Tot2d during 
mainstage operation since 
the input matrix of the 
design model is not rank 
deficient. However, the 
nominal control design* 0 
does not use MOV or MFV 
for mainstage operation 
since these two valves are 
primarily for startup and 
shutdown. In fact, MOV and 
MFV are kept wide open for 
all power ranges 
encountered during 
mainstage operation in the 
Block I controller. 

Therefore, it was concluded 
that these valves should not 

be moved for nominal engine operation by increasing the control weighing in the multivariable design. However, these 
valves can play a major role ill accommodating a failure in one or more of the primary control valves (FPOV, OPOV, CCV 
and OPFV). 

One approach for control reconfiguration for actuator failures is shown in Figure 5. The basic idea is to design a 
controller for each of the failure conditions and then switch designs once the failure is identified by the online diagnostic 
system. For example, if the position of FPOV sticks at a certain time in the mission, then a control law (ui p0 v) designed 
without the column corresponding to FPOV in the B matrix of the design plant is blended with the nominal control (u n om) 
to give the applied control (u ap p) as 

u«, n >(t) = (1-MO) Unom(t) + MO ufpov(t), where A(t) € [0,1 J. (8) 

As shown in the figure, the nominal and off-nominal control designs run in parallel to minimize startup transients associated 
with switching between controllers. The approach is straight forward from both a conceptual and implementation 
standpoint. The difficulty is selecting an acceptable blending rate A(t) between the nominal control and the new controI For 
the failure condition. Once the new controller is active, the closed loop performance and robustness are known from the 
apriori design. However, the approach lias several short comings. The most significant Being the high number of parallel 
controllers of order (N) for a potentially large number of failure scenarios (M) resulting in a control system of order N*M 
making implementation of such a system in flight hardware somewhat impractical. Another potential problem involves 
integrator windup for each of the controllers running in parallel but '‘off-line**. Windup may result in transients of the kind 
we hoped to avoid by running the controllers in parallel in the first place. However, this behavior has not been a problem 
to date and can be minimized further by ramping between controllers more slowly. The approach taken is not a panacea, 
however it does allow us to explore the potential benefits of using control reconfiguration in a relatively straight forward 
way. 

ENGINE L EV EL COORDINATOR 

The engine level coordinator may change the setpoints of the currently controlled variables to meet performance 
constraints, avoid detrimental operating conditions, change the controlled variables (i.e. mode switching), or select an 
alternate control structure to accommodate a failed or degraded component in the engine system as summarized by Figure 5. 
Moreover, degradations or failures of certain engine components may adversely affect performance limits. In this situation, 
the coordinator must recompute new limits based on information provided by the on-line diagnostic system. The engine 
level coordinator is responsible for meeting thrust and MR requirements set by the propulsion level to the extent possible 
while avoiding an engine shutdown condition. Engine shutdown is determined by the propulsion level coordination based 
on information provided by the engine level coordinator, relative health of the remainder of the propulsion system, and 
mission safety requirements. Information about the health of the engine and the necessary performance parameters are 
supplied to the propulsion coordinator to aid decision making at that level about each engine’s thrust and MR. 

A bottom up strategy has been adopted to develop algorithms for use in the engine level coordinator. For the 
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failure modes considered thus far, only the 
FPOV sticking has resulted in any identifiable 
coordination activity. If the valve sticks at 
some point during the Max Q maneuver, the 
maximum achievable thrust for the engine will 
decrease if the MR setpoint is observed. The 
job of the coordinator is to determine the 
maximum thrust as a function of the estimated 
position of the stuck valve and provide this 
new limit to the controller. The HPFTP turbine 
tip seal failure could have coordination 
activity by changing the set points for Pc, 
Tft2d, and Tot2d based on the estimated change 
in turbine efficiency. However, the MVC 
reaches a balance without any explicit changes 
in commands? thereby making the problem one 
of potential integrator windup. The LPFTP 
shaft seal failure may require some 
coordination, but this work must wait until an 
alternative MR estimation scheme is developed 
to provide a suitable value for the 
multivariable control. The HPOTP seal system 
failures have no direct affect on performance 
parameters, however off nominal operation 
such as slowing the pump down may help to 
avoid further degradations. However, our 
modelling efforts have not progressed to the 
level of detail which would allow some reasonable 


Propulsion 



Figure 5 Multivariable Reconfigurable Control Scheme 
assessment of the effect of speed on seal wear during failure propagation. 


ACCOMMODATION STRA TE G IES 

Accommodation strategies have been developed for the sticking of FPOV and the HPFTP turbine tip seal failure. 
The simulation results for accommodation of the turbine tip seal failure have been published elsewhere* l and will not be 
repeated here. Further work is required for the LPFTP shaft seal and possibly the HPOTP shaft seal system. The MVC is 
marginally unstable for a nontrivial leakage in the LPFTP shaft seal when using the MR estimation algorithm developed for 
the Block l control. The reason for this has roots in the differing design philosophies between Block I and the MVC. The 
MVC has MR as the “fast” control loop while the Block 1 control as Pc as the “fast” loop. Having MR as the faster loop 
provides better control of temperature deviations in the engine cycle and results in a lower order controller since the MR 
response is much slower than P c . Oscillations in the MR response result from the impact of the LPFTP shaft seal failure on 
the quality of the MR estimate as shown earlier in Figure 3a. while the Block I control experiences no difficulty in 
regulating P c and MR. Work is in process to develop an alternative MR scheme using a kalman filter to alleviate the 
marginal instability with the MVC, 


FPOV Sticking. The sticking of the 
FPOV during the thrust bucket of the SSME 
mission could result in extreme structural 
loading on the orbiter vehicle with possible 
loss of mission if an accommodation strategy 
does not allow completion of the transient. To 
accomplish the accommodation, an off- 
noininal control may be designed which makes 
use of the remaining valves 
(OPOV,MOV,MFV,CCV, and OPFV) to provide 
closed loop control of MR and P c while 
ignoring turbine discharge temperatures. Once 
the on-line diagnostic system has diagnosed the 
failure and estimated the position of the failed 
valve, the coordinator can compute the 
maximum possible P c for the engine without 
forcing MR off nominal (6.011). The 
coordinator generates new commands for the 
engine and initiates control blending using the 
approach outlined above. Once control 
reconfiguration is complete, the off nominal 
control provides variable throttling and MR 
control throughout the remainder of the 
mission with a new limit on maximum thrust 
for that engine. 


Uncoordinated MVC 

Uncoordinated Thrust Command 



The off-nominal controller without 

the FPOV is synthesized using the same control Figure 6 Chamber Pressure Response for Thrust Bucket with Valve Failure 


7 







structure, design methodology and sensor suite 
employed with the nominal controller. Control of 
MR without using the FPOV is n very difficult task 
since the MR response depends heavily on this valve. 

In fact, the Block I control uses FPOV exclusively 
for MR regulation. The design procedure! 0 resulted 
in a controller of the same order as the nominal 
control and uses four valves (OPOV, CCV, OPFV and 
MFV) to decouple the MR from the P c response. 

Theoretically, decoupling using fewer valves is 
possible. However the objective was to demonstrate 
the capability of recovering from a failure in a 
primary control valve while preserving control of Pc 
and MR. The off nominal control performs 
satisfactorily over inainstage without gain 
scheduling as does the nominal control. 

Figures 6 and 7 show the P c and MR 
responses for the thrust bucket maneuver, 
respectively. Figure 6 includes five curves with two 
sets of two being identical until after approximately 
the eleven second mark and are highlighted w ith a Figure 7 Mixture Ratio Response for Thrust Bucket with Valve 
rectangle. The coordinated and uncoordinated MVC Failure 

and thrust command demonstrate the importance of the engine level coordination. The Block I controller response is 
included for reference purposes to motivate the need for accommodation. The failure of FPOV occurs at exactly three 
seconds into the transient when the valve locks up. The responses shown assume identification takes place instantly which is 
certainly unrealistic. The plots show the best you can do with the reconfigurable MVC. Any delay in identification will 
degrade the performance of the accommodation scheme. Very little perturbation is seen during accommodation of the valve 
by the MVC while the Block I control is smooth since OPOV is responsible for P c control. Figure 7 shows the degradation 
in MR control when the valve sticks for both MVC and Block I. However, reconfiguration of the MVC by four seconds 
(blending) begins to return MR to the design point while the Block I response shows the coupling between P c and MR. 

If the coordinator does not lower the maximum P c for the engine based on the position of FPOV then the responses 
shown for the “Uncoordinated MVC’ result. Figures 6 and 7 show the tradeoff between P c and MR when “too much” thrust 
is requested from the engine. Neither P c or MR can meet demand, therefore the MVC balances the errors based upon the 
relative weights used in the design procedure. The imbalance is exemplified by the Block I control which meets requested 
thrust while MR in Figure 7 increases 
to 7% over nominal. If coordination 
takes place, then the responses 
labelled “Coordinated MVC” result. 

Figure 6 shows how a decrease in 
demanded thrust for the MVC can be 
achieved while keeping MR in 
Figure 7 at or about the nominal 
setting, A decrease in demanded 
thrust by a particular engine in a 
propulsion system can be 
compensated for by other "healthy” 
engines in the cluster without 
compromising the mission. 


INTELLIGENT CONTROLS 
GRAPHICAL USER INTERFACE 


The Graphical User 
Interface (GUI) was developed to 
allow the ICS to be monitored 
during operation. The GUI permits 
operators to observe the ICS in real- 
time operation as it accommodates 
faults in components, sensors, and 
actuators, using a collection of 
screens designed to provide a clear 
illustration-through plots, text, and 
aiirmation-of the entire process. The 
GUI is a full-color, object-oriented Figure 8 Main Screen for the Intelligent Control System Graphical User Interface 
system consisting of a set of screens arranged hierarchically. Each screen consists of three windows: a mouse-sensitive 
graphical display window containing a diagram of a component or system, a plotting window depicting lime responses of 
key variables associated with that component or system, and an interactive type-out window displaying messages and 
allowing the user to enter commands. When the mouse pointer is over a selectable object in the mouse-sensitive graphical 
display window, a box appears around the object and its name is displayed at the bottom of the screen. Clicking on it brings 
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up the screen corresponding to the object. The hierarchy of screens may be viewed in this manner. Figure 8 shows an 
example screen. The (op window contains a view of the space shuttle main engine composed of selectable objects, the 
window on the lower left displays messages, and that on the lower right displays plots. One of the components is selected ns 
indicated by the box around it and its name is displayed in the lower left corner of the figure. The GUI plots time responses 
of important variables and indicates failures to the user through messages in the type-out window and by causing failed 
mouse-selectable components to flash. The user may bring up more detailed screens by clicking on the objects. Because of 
the modular, object-oriented nature of the GUI, the creation of additional screens is simple and quick. Thus appropriate 
screens can be added easily as more failure modes are incorporated into the testbed system, 

SUMMARY 

Demonstration of an Intelligent Control System for reusable rocket engines (SSME) is on-going at NASA LeRC. 
To facilitate this process, a preliminary subset of failure modes was selected from the set of all accommodatable failure 
modes. In particular, failure of a control sensor (P c ), a frozen Fuel Preburner Oxidizer Valve, a Low Pressure Fuel Turbo 
Pump shaft seal failure, a High Pressure Fuel Turbo Pump turbine tip seal failure, and a High Pressure Oxidizer Turbo Pump 
shaft seal failure were selected. Due to the requirement of accommodating engine failures or degradations, hot fire data 
cannot be used in closed loop evaluation and serves to validate health monitoring algorithms only. Consequently, a 
modelling effort is ongoing to study the effects of the failures on SSME performance and some results to date have been 
included. Modelling has focused on first order effects and little attention has been paid to the propagation of failures or the 
potential negative impact of off nominal operation of the engine and subsequent failures. These are important issues, 
however our focus is constrained given available resources to address this complex problem. 1 he failure models are used to 
study the behavior of the engine as a failure occurs during closed loop operation with a nominal engine controller. If 
unacceptable behavior results, the operating point or the set of controlled variables or both is changed to accommodate the 
problem by the engine level coordinator. If none of these actions resolves the anomalous behavior, an alternate control 
design is performed off-line to meet the requirement of fault tolerance. A reconfiguration scheme has been presented which 
allows switching between predesigned controllers running in parallel based on the identified engine failure. An example 
using a stuck Fuel Preburner Oxidizer Valve was given to illustrates these ideas on a realtime simulation of the SSME. 
Results show that successful accommodation of primary control valves can be achieved using control reconfiguration in 
conjunction with a multivariable design methodology. Finally, the graphical user interface for the Intelligent Control 
System project was presented which aides the analysis of the system during accommodation of simulated engine failures. 
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